To configure the log source type for QRadar, perform the following procedure.

Note:
  • If the Log Source is created automatically, the Coalescing Events option is enabled. Coalescing Events means that when a log source emits multiple similar events in a short time span, they are aggregated. The event count of the single event reflects the number of events that have been aggregated. This feature reduces the storage cost of events. If you want separate events in QRadar for similar alerts, you can disable this option.
  • If you encounter problems setting up the Log Source, see Troubleshooting the Carbon Black Cloud App in IBM QRadar.
  • If the autodetection and creation of the Log Source fails, you can manually create a Log Source following the steps described in Create Syslog Log Source for IBM QRadar.

Prerequisites

The Carbon Black Cloud app for QRadar must be installed so that the Carbon Black Cloud extension is available. See Install and Configure the Carbon Black Cloud App for IBM QRadar.

Procedure

  1. Open the QRadar console.
  2. Go to Admin > DSM Editor.
  3. In the pop-up window, search for Carbon Black Cloud and click Select.
  4. Click the Configuration tab.
  5. Toggle ON the Enable Log Source Autodetection option.
  6. Click Show Advanced Options.
  7. Select a value for Minimum Successful Events for Autodetection. We recommend a low number for this field.
  8. You can optionally choose a custom name for the Log Source by editing the Log Source Name Template value. The default Log Source name is CarbonBlackCloudCustom @ localhost.
  9. Click Save and close the DSM Editor.
